Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Programmer’s Guide to Secure Connections

Similar presentations


Presentation on theme: "A Programmer’s Guide to Secure Connections"— Presentation transcript:

1 A Programmer’s Guide to Secure Connections
Liz Rice

2

3

4 A guide to TLS connections
How do I set up secure connections? What do these error messages mean? What the hell are all these .crt, .key, .csr and .pem files? In distributed systems we might be using secure communications between components

5 Establishing identity is critical
Hello, I’m Liz Hi! I’m your bank Great! Here’s $500 Establishing identity is critical

6 Encrypted traffic prevents interception
Hello, I’m Liz Hi! I’m your bank Great! Here’s $500 Encrypted traffic prevents interception

7 TLS is a newer version of SSL
TLS is a newer version of SSL. SSL is now deprecated so even though people still talk about SSL

8 HTTP(S) runs over TCP Create TCP connection
“hi” blah blah blah “hi” TLS - encrypt TCP connection Skip if regular HTTP Create TCP connection Send HTTP packets on connection

9 “Connection refused” = wrong port
TCP connection :60401 :8080 “Connection refused” = wrong port (nearly always)

10 VerifyPeerCertificate
SYN Establishing TCP ACK HELLO <server name> HELLO GetCertificate (or Certificate) <Server certificate> Verify certificate, then call VerifyPeerCertificate HELLO DONE GetClientCertificate (or Certificate) <Client certificate> Verify certificate, then call VerifyPeerCertificate TLS Handshake Generate Pre-Master Secret <Pre-Master Secret> (encrypted with server key) Generate session key from Pre-Master Secret Generate session key from Pre-Master Secret Change cipher <session key> FINISHED FINISHED blah blah blah Symmetric encryption with session key Symmetric encryption with session key

11 Keys & certificates

12 Public / private key encryption
Public key can be freely distributed and is used to encrypt Private key must be kept private and is used to decrypt <encrypted> “hello” “hello” If I send you my public key, I can send you encrypted messages and you will be able to read them So will anyone else who has my public key

13 Public / private key signatures
Private key must be kept private and is used to sign message Public key is used to verify signature “hello” “hello” + + “hello” signature + signature = signature If I send you my public key, I can send you encrypted messages and you will be able to read them So will anyone else who has my public key

14 Need a trusted authority in common “Certificate Authority”
Sharing a public key Hi, I’m Liz. Here’s my public key. Why should I believe you? Need a trusted authority in common “Certificate Authority”

15 X.509 certificate This is to certify that liz-server has public key
abcdef CA Subject name Subject’s public key Issuer (CA) name Validity Certificate signed by issuer (CA)

16 Subject Name Your certs should use Subject alternative names (SAN)
Common Name deprecated in 2000 Chrome browser stopped supporting CN in April 2017 SAN supports multiple DNS names in one certificate

17 Creating keys & certificates

18 Trusted Certificate Authorities
Like Let’s Encrypt Known in system certificate pools Create a Certificate Signing Request openssl req -key private-key -new -out csr For public-facing domains Not for internal components in a distributed system

19 CLI tools openssl cfssl mkcert minica
See contents of certificate: openssl x509 -text Doesn’t easily support SANs (Subject Alternative Names) cfssl Comprehensive toolkit mkcert Local development Installs CA into your system & browsers minica Easy generation of key & certs

20 DER is an ASN-1 encoding format (TLV)

21 Mutually-authenticated TLS (mTLS)

22 Takeaways

23 To establish your identity
You will need: A private key A certificate for your identity The other end needs to trust the Certificate Authority that signed your certificate. This may require appending the CA’s certificate.

24 File extensions Inconsistently used
Information type : .crt for certificate, .key for private key... Or file format: .pem PEM files are base64-encoded and tell you what they contain openssl can tell you about the contents

25 Common error messages Connection refused
Check you’re connecting to the right port Certificate signed by unknown authority Received a certificate, but it’s not trusted Examine CA in certificate to see if it should be known to receiver Remote error It’s the other end that’s complaining

26 github.com/lizrice/secure-connections


Download ppt "A Programmer’s Guide to Secure Connections"

Similar presentations


Ads by Google